iPhone fails to authenticate within ACS.

j.conceicao
Level 1

Hi There!

I have created a VPN group (PIX v8.0(3)) for the corporate iPhones. They work fine if the authentication is LOCAL, but if I request them to authenticate within ACS, it fails. What should I do?

6 Replies

andrew.prince
Level 10

Perform an authentication check from the PIX/ASA using the uid/pwd that is configured in the ACS to make sure the details are valid.

HTH

Yes, they are valid. Works fine from my desktop.

OK - is the config in the PIX/ASA valid?

Have you added the PIX/ASA in the ACS as a valid network device?

So far it is.

Yes, I have added the PIX in the ACS. I have about 300 L2L dynamic connections, 3 PIX x PIX/ASA and about 150 remote access.

Here is the set pointing to ACS:

aaa-server PIX protocol radius
aaa-server PIX (Corp) host 10.0.30.3
 timeout 5
 key auditor

The only thing left to test is to log in via a remote VPN connection using the same details the iPhone is using. If it passes, the issue is with the iPhone; if it fails, then you need to check the ACS logs for the failure reason.

HTH
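The check suggested above (valid credentials, PIX defined on the ACS as a network device, correct key) can also be made from any host that can reach the ACS, which separates a server-side problem from a tunnel-group problem. On the PIX/ASA itself the equivalent is the test aaa-server authentication command (test aaa-server authentication PIX host 10.0.30.3 username <user> password <password>). The following is an added example, not code from this thread or from Cisco: a minimal RADIUS (RFC 2865) PAP client in Python. The server address 192.0.2.10, the secret, the user and the NAS address in it are constructed placeholders; the aaa-server host and key from the thread would be substituted, and port 1645 is used because that is the ASA's default authentication-port. It sends PAP, which is what the PIX sends to RADIUS for an IPsec remote-access (XAUTH) login; an L2TP/IPsec client authenticates over PPP with whatever method the tunnel-group's ppp-attributes allow (PAP, CHAP, MS-CHAPv2), so an Access-Accept here proves the server, the NAS entry and the key, not that the ACS accepts the iPhone's PPP method.

```python
"""Minimal RADIUS (RFC 2865) PAP Access-Request client for checking an
authentication server independently of the PIX/ASA.

Added example for this thread; not Cisco's or the forum poster's code.
The host, secret, user and NAS address used at the bottom are constructed
placeholders.
"""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
CODE_NAMES = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject",
              ACCESS_CHALLENGE: "Access-Challenge"}


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: pad to 16-byte blocks, then XOR
    each block with MD5(secret + previous ciphertext block), the first block
    being keyed with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: what the server does before checking PAP.
    A wrong shared secret yields garbage here, so the server answers Access-Reject."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(ident, username, password, secret, nas_ip, authenticator=None):
    """Build an Access-Request carrying User-Name, User-Password and NAS-IP-Address.
    Returns (packet, request_authenticator); the authenticator is random unless given."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def build_response(code, ident, request_authenticator, secret, attrs=b""):
    """Server side (used for the offline self-check): Response Authenticator =
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def check_response(packet, ident, request_authenticator, secret):
    """Validate a reply against the request we sent. Returns (ok, description).
    A bad Response Authenticator is the client-side symptom of a key mismatch."""
    if len(packet) < 20:
        return False, "short packet"
    code, rid, length = struct.unpack("!BBH", packet[:4])
    if rid != ident or length != len(packet):
        return False, "identifier/length mismatch (stray or truncated reply)"
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    if packet[4:20] != expected:
        return False, "bad Response Authenticator: shared secret mismatch"
    return True, CODE_NAMES.get(code, "code %d" % code)


def radius_pap_check(server, secret, username, password, nas_ip, port=1645, timeout=5.0):
    """Send one PAP Access-Request and classify the outcome. Needs network reach
    to the server; the packet logic above is what can be exercised offline."""
    ident = os.urandom(1)[0]
    pkt, auth = build_access_request(ident, username, password, secret, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, port))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            # ACS silently drops requests from a NAS it does not know about.
            return False, "no reply: server unreachable or NAS not defined on it"
    return check_response(reply, ident, auth, secret)


if __name__ == "__main__":
    # Constructed values; substitute the aaa-server host, its key and a test user.
    print(radius_pap_check("192.0.2.10", b"example-secret", "testuser", "testpass", "192.0.2.1"))
```

Reading the result: no reply means the ACS never saw a request it was willing to answer (unreachable, or the sending address is not an AAA client on it); an Access-Reject whose Response Authenticator verifies means key and NAS entry are fine and the ACS rejected the user, which is the case to take to the ACS Failed Attempts log; a reply that fails the authenticator check points at the key.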

This group has access via remote VPN and via iPhone.

Here is my configuration:

object-group network Painel
 network-object 172.30.23.0 255.255.255.0
!
access-list Outside_cryptomap extended permit ip any object-group Painel
access-list Corp_NAT_0_out extended permit tcp host 10.0.30.102 object-group Painel eq 7778
access-list Corp_NAT_0_out extended permit tcp host 10.0.30.109 object-group Painel eq www
access-list Corp_NAT_0_out extended permit tcp host 10.0.30.169 object-group Painel eq 8080
access-list Corp_NAT_0_out extended permit tcp host 10.0.30.191 object-group Painel eq 8080
access-list Corp_NAT_0_out extended permit tcp host 10.0.30.235 object-group Painel eq www
access-list Corp_NAT_0_out extended permit tcp host 10.0.30.253 object-group Painel eq www
!
access-list Painel_SplittunnelAcl standard permit host 10.0.30.102
access-list Painel_SplittunnelAcl standard permit host 10.0.30.109
access-list Painel_SplittunnelAcl standard permit host 10.0.30.169
access-list Painel_SplittunnelAcl standard permit host 10.0.30.191
access-list Painel_SplittunnelAcl standard permit host 10.0.30.235
access-list Painel_SplittunnelAcl standard permit host 10.0.30.253
!
ip local pool PainelACCESS 172.30.23.1-172.30.23.254 mask 255.255.255.0
!
group-policy Painel internal
group-policy Painel attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Painel_SplittunnelAcl
!
tunnel-group Painel type ipsec-ra
tunnel-group Painel general-attributes
 address-pool PainelACCESS
 authentication-server-group PIX
 authorization-server-group PIX
 accounting-server-group PIX
 default-group-policy Painel
tunnel-group Painel ipsec-attributes
 pre-shared-key *
